The ‘Pooled-Risk’ Model is Putting DeFi Users at Risk. Here’s What Needs to Change.
In decentralized finance, a structural flaw is putting everyone at risk: the pooled-risk model. While you may assume that the safety of your collateral depends only on your loans, think again.
The riskiest assets deposited by other users could compromise the entire protocol, and your funds with it. Your Bitcoin, gone. Granite is on a mission to fix this.
What, Exactly, is ‘Pooled-Risk’?
Most DeFi lending protocols allow multi-collateral and multi-borrow, where multiple different tokens can be used as collateral and all of these tokens are rehypothecated (lent out) for others to borrow. On the surface this seems beneficial since it is capital efficient and allows borrowers to earn yield on their deposited collateral. However, behind the scenes this combination creates a cross-margin pool risk, which exposes all collateral in the protocol to the most volatile asset (or riskiest oracle) deposited by any user.
Here’s how it works:
• Rehypothecation: Your collateral is not just sitting unused in a vault; it’s lent out to other borrowers. This turns all borrowers into de facto lenders and creates liquidity risk, as your asset could be tied up in loans made to other borrowers.
• Multi-asset borrowing: Users can borrow any of the collaterals in the protocol, including collateral that you deposited, using whatever collateral they deposited as the backing - this effectively links all collateral together. A single bad collateral asset could then cause a cascading failure that affects all users, even those who deposited more stable collateral like BTC.
The pooled-risk model means that no matter how conservative you are as a borrower, you are sharing the risk of every other asset in the protocol.
How Pooled-Risk Models Fail: An Example
Let’s break down an example to see how this can play out:
Multiple Assets in the Pool: A protocol allows users to borrow and lend many assets such as BTC, USDC, ETH, and XYZ. How much a user can borrow is determined by the value of their collateral (which in turn is determined by oracles)
Alice Deposits BTC as Collateral: Alice deposits BTC as collateral and borrows USDC.
Oracle Error: The oracle for XYZ reports an incorrectly high price, either due to an error or a price manipulation attack. This falsely increases the value of XYZ held as collateral by users.
Bob Over-borrows BTC: Bob has deposited XYZ as collateral. He sees that his collateral is overvalued, giving him access to far more borrowing power than he should have. He takes advantage of this error and borrows as much BTC as he can, much more than he should be able to given the real price of XYZ. Other XYZ holders do the same.
Price Correction and Cascading Failures: Eventually the oracle error is corrected and the value of XYZ drops sharply. XYZ used as collateral cannot cover users’ debts, leaving positions under water with insufficient incentives for liquidators to take action. This creates bad debt for the protocol, and incentivizes a run on the bank by users to withdraw any remaining collateral.
Alice Cannot Withdraw: Alice repays her USDC loan and tries to withdraw her BTC, but there’s a problem: Bob hasn’t returned the BTC that he borrowed, and there is no incentive for him to do so since his borrowed BTC is worth more than his XYZ collateral. Many others like Bob also decide not to repay their loans, to the point that there is no BTC left in the protocol.
Even though Alice has repaid her debt, her BTC collateral isn’t available to withdraw because it’s lent to Bob (and other borrowers). There is no reason for Bob or the other borrowers to repay their loans, and Alice cannot recover her BTC. She is left holding the bag.
This example illustrates how rehypothecation and multi-asset borrowing turn what should be independent collateral into a shared risk, undermining security across the entire protocol.
The Solution: Isolated Markets
At Granite, we recognized the problems with pooled-risk models and designed our protocol to protect users from these risks by using an isolated market model. This approach eliminates the interdependency between assets that causes cascading failures in pooled-risk protocols.
Here’s how Granite’s isolated market model works:
- No Rehypothecation: Your collateral stays yours - Granite never lends it out to other users. This ensures that your BTC is always available when you need it.
- Single Asset Pools: Each market in Granite has only a single borrowable asset, creating a predictable, transparent risk profile with no surprises. There’s no mixing of volatile tokens that could lead to unpredictable failures.
By isolating each market, Granite reduces systemic risk and safeguards users from the cascading failures of pooled-risk models
Why Granite is the Future of Bitcoin DeFi
Granite’s isolated markets deliver security and transparency, empowering Bitcoin holders with access to liquidity without exposing them to hidden risks. Our approach aligns with DeFi’s vision, providing users with true control over their financial lives.